There are a number of elements regarding the schedule of a corporate IT security project and the related ISAPs. The overall schedule may be dictated by a planned, future event such as the company going public via an Initial Public Offering (IPO) or a requirement to be compliant with a particular set of regulations by a certain deadline, or maybe by a deadline determined by the executive team. These are external constraints that must be considered as you build your project plan. If schedule (time) is your top priority, you already know that something else will have to "give" if the project runs into problems (which almost all projects do at one time or another). In this case, you need to plan for the possibility that you will need to add more people to your project if work is delayed for any reason.You also need to be ready to scale your scope back a bit if you fall behind schedule. The corporate IT security plan will have to be the most flexible, because it will have to accommodate the changes to all the underlying ISAPs and it will also have to provide a thorough, integrated approach to corporate security as a whole.

In addition, you may set high-level target completion dates for various elements of your project and then set your more detailed schedule based on the ISAP schedules you develop. For example, you may choose to complete a Web security project plan first, because you know your Web systems are most vulnerable at this time.You expect that project to take two months to complete.You might choose to begin the planning stages of your infrastructure project plan, because you want to begin implementing it as soon as possible.You may also be able to utilize different members of your IT staff so that you can run these projects in parallel. These are the kinds of things you can decide on regarding your schedule when you take a holistic, system-wide look at your security initiatives.

